Owners of Information Systems must follow general requirements regarding management of access to the information systems which they maintain.


To ensure all Owners of Information Systems which contain Electronic Protected Health Information (ePHI) are in compliance with audit requirements.


This standard applies to Owners of Information Systems.


Owners of Information Systems containing Electronic Protected Health Information (ePHI) must be able to meet the following general data audit trail requirements:

  • Which users accessed which patient’s data
  • Which patients a user accessed using his/her approved access
  • What data/documents were updated/viewed
  • What access pathway was used
  • When the access occurred

Audit data reflecting this activity must be retained for the minimum retention period as noted in Medical Center Policy 0266 Records Management: Records/Document Retention and Disposition.

Applications unable to comply will petition the Chief Information and Technology Officer and the HIT Director of Information Security for a written exemption, and seek approval of a remediation plan to bring the feature to an acceptable compliance level. See Risk Management.

Document Supporting Resources